
Since one of the 10 domains on the CISSP is legal/governance, I figured this would be the best place to ask.

I recently did a security assessment for a non-profit. I found that their systems needed some attention. I want to make it clear to them that just because your network has no sensitive data on it, you are still at risk. One point is if someone places illegal files on your server, you are responsible.

Any other examples? I want to make sure I don't miss anything else. On a side note, does anyone know where I can find exactly what some of these penalties are (time/monetary fees)?

Jeff Ferland
Jeff
    Illegal files are one problem. Becoming part of a botnet is another - their computers can be used to *actively attack* something - will they like that? – sharptooth Feb 07 '12 at 06:48
  • That will help. I am looking for anything like that. If there are examples too, like, this company's server was part of a botnet and they were fined... or something. – Jeff Feb 07 '12 at 12:44
  • Please do not take our comments as actual legal advice, and unless you are a lawyer, do not give legal advice to your client. Notify them of the risks. Use proper words like "could be" and "the chance of"; do not give concrete advice on a subject outside of your expertise. – Ramhound Feb 07 '12 at 14:31
  • Oh, you are right. I should have mentioned that. I am not a lawyer, and I will not be acting as such. I just want to make the information available to them, as in "if you don't patch, here are the technical risks, and here are the possible legal ramifications. You decide what direction to go in." – Jeff Feb 07 '12 at 14:35
  • @Jeff - The perfect case to make sure ALL servers are patched is what happened to both Sony and Symantec. Sony allowed millions of customers' information to be leaked because their servers were not running the most recent software. Symantec years ago was compromised; who knows the exact reason, but it's safe to assume it could have been prevented by either patching a piece of software or not having it running at all. If the non-profit needs more reason than being compromised, and the damage caused by said compromise cannot be calculated is not enough, then they are a lost cause. – Ramhound Feb 07 '12 at 16:51
  • @Ramhound yes, you are right, but this organization stores no data from customers, has no PII of any kind on their servers, and doesn't engage in e-commerce. The website is essentially "Hey! We exist!" Maybe my question should be "is there any risk for them?" but I think there is. – Jeff Feb 07 '12 at 17:49

2 Answers


It is still mostly the case that liability for computer breaches (not including disclosure of private information) is legally blameless. There are plenty of laws cropping up all over about data privacy, but as far as protection of computing resources themselves there isn't really a standard. "Gross negligence" on the Internet is still a basically non-existent standard. Thus, for ultimate liability you're probably in a very safe spot.

That said, nothing prevents a case from being brought and incurring court-related fees including legal representation. Investigations of misuse of your server may not result in any charges, but you could lose your servers for a long time while they're impounded as evidence. Law enforcement in the US at least is not known for very fast turnarounds.

Applying patches is usually much less expensive than either of those outcomes.

700 Software
Jeff Ferland
  • See my comment on Yoav's answer. Is the server owner responsible for content hosted on the server (even if they didn't put it there)? – Jeff Feb 07 '12 at 17:56
  • @Jeff Generally no. Liability for most things requires intent. Thus, I've read cases about charges being dropped for walking through airport security with a handgun in a backpack and charges for child pornography dropped after it was shown to be the work of a neighbor or virus. Of course, the first case resulted in suspension of the individual's security clearance until the event was settled (it was restored), and the other two examples both resulted in the computer owners being publicly victimized even after being cleared because not everyone got the message. There are costs outside of court. – Jeff Ferland Feb 07 '12 at 18:02


Legal issues are very tricky; they change (sometimes dramatically) between different countries and jurisdictions. Even when there are clear laws and regulations (for example, privacy protection in the UK/EU), the penalties/fines are usually quite small, and the chances of 'getting caught' even lower. I am aware of some cases where violations were allegedly made, but the business did not seem to care, and in fact did not face any penalties as a result, or the penalties were small.

Placing 'illegal files' (whatever that may be), might or might not count as a legal breach, and might or might not carry any penalties. In some cases, it's enough to demonstrate that you deleted the files and put some better protection in place to avoid any penalty (that is, after 'being caught').

With that in mind, I think that, whilst on the face of it legal risk may be a good way to emphasise why a company or organisation should protect its data, it might not be enough to make a convincing argument. Perhaps it's easier to find some other reasons (exposing financial details of the company, bad publicity or poor company image).

Of course, a lawyer in your country would advise you much better than I can, especially if they specialise in these areas (copyright, privacy, e-commerce etc).

and of course I forgot to mention that IANAL.

Yoav Aner
  • In other words, using the "it might be illegal if something happens" reason to do something to prevent that possible illegal action is not a valid reason. There are lots of reasons to prevent something; if a company is hosting illegal files not placed there by the employees it means their servers are not secured, which means ANYTHING on the server could have been viewed and downloaded. Just look at the recent security issues in the last 2 years as proof. – Ramhound Feb 07 '12 at 16:46
  • Not sure I completely follow your train-of-thought, but the question was about Legal risks. Of course there are many other good reasons to secure your servers. I think I even tried to make this clear on my answer. – Yoav Aner Feb 07 '12 at 17:42
  • I think I'll probably go about it with the bad publicity/poor image approach. The tricky thing with this org is that they don't sell anything, and they don't collect info from people. I guess my thought is, if a pedo were to start storing his personal videos on these servers, are there legal ramifications (in the US)? The bad light this puts this org in would of course be enough for them to patch, but are they responsible legally? – Jeff Feb 07 '12 at 17:54